b"05/24/07       THU 12:03 FAX 865 241 3897               OIG\n                                                        0-4                                  H\n                                                                                             HQ                     1001\n\n\n     DOE F 1325.8\n     (08-93)\n     United States Government                                                                  Department of Energy\n\n      memorandum\n               DATE:\n                 DAT     May 24, 2007                               Audit Report Number: OAS-L-07-12\n           REPLY TO\n           ATTN OF:    IG-32 (A07DN010)\n\n           SUBJECT:    Audit of Continuity of Operations at the Western Area Power Administration\n                 TO:   Administrator, Western Area Power Administration\n\n                       INTRODUCTION AND OBJECTIVE\n\n                       The Western Area Power Administration (Western) markets and delivers cost-based\n                       wholesale hydroelectric power to its customers. Western's wholesale customers in\n                       its four regions - Rocky Mountain, Desert Southwest, Sierra Nevada, and Upper\n                       Great Plains - provide service to millions of consumers within a 15-state marketing\n                       region in the central and western United States.\n\n                       With electricity being such a vital commodity, it is of utmost importance to ensure\n                       that Western is prepared to continue operations during an emergency or situation\n                                                                                                             that\n                       may disrupt normal operations. Western is required to follow the Federal\n                       Preparedness Circular 65 (FPC 65) - guidance issued by the Federal Emergency\n                       Management Agency - for developing contingency plans and programs for\n                       continuity of operations. This guidance includes (1) identifying essential\n                                                                                                     functions;\n                       (2) preparing alternate operating facilities; and (3) establishing a devolution plan of\n                       continuing operations in an event where the Federal entity is incapable of performing\n                       essential functions from either its primary or alternate facility.\n\n                       One of Western's essential functions is system operations, which provides control\n                       over the generation and delivery of electrical energy. Therefore, the objective\n                       audit was to determine whether Western performed key steps to ensure continuity of the\n                                                                                                           of\n                       operations for its system operations' essential functions..\n\n                       CONCLUSIONS AND OBSERVATIONS\n\n                       Although Western had taken a number of key steps to ensure continuity of operations\n                       for its system operations' essential functions, it could improve its continuity\n                                                                                                       of\n                       operations strategy in its four regions. Specifically:\n\n                          * Two regions need to improve their system operations' alternate operating\n                            facility;\n                          * All four regions need to improve their system operations' devolution\n                                                                                                  plan for\n                            continuing operations if both primary and alternate facilities become\n                            inoperable.\n\x0c05/24/07   THU 12:03 FAX 865 241 3897                OIG                             * -,HQ                      Z2002\n\n\n\n\n                  Alternate Operating Facilities\n\n                   The Upper Great Plains Region's alternate operating facility is not independent of the\n                   primary operating facility. Specifically, the information systems used to monitor and\n                  .control the electrical power system at the alternate operating facility rely on the\n                   computer servers at the primary facility. Therefore, if the primary operating facility\n                   is destroyed, system operations would not be able to continue operating at the\n                   alternate facility. This region has a plan to construct an alternate operating\n                   facility that is independent of the primary facility. However, the region may not have\n                   fully evaluated the alternatives for establishing such a facility. Specifically,\n                   excluding labor cost, the region plans to spend approximately $3.4 million\n                   to establish a new building and set up its alternate operating facility, whereas the\n                   other regions used existing facilities and spent $70,000 to $1 million. The Upper\n                   Great Plains Region informally considered using existing facilities; however, these\n                   options were not included in a formal feasibility study. Further, the new alternate\n                   operating facility will only be 15 miles from the primary operating facility, and an\n                   all-hazard risk assessment was not performed to determine if the primary and\n                   alternate operating facility would be susceptible to the same hazards.\n\n                  Similarly, the Sierra Nevada Region's alternate operating facility is located only 8\n                  miles from the primary facility, but no all-hazard risk assessment was performed\n                  before the facility became operational. A review by a Western cyber security team\n                  indicated that both facilities are in the same flood plain and that a flood could\n                  dramatically affect this region's ability to function. The region is aware that the\n                  location may be subject to the same hazards and is planning to perform a study in\n                  Fiscal Year 2008 to determine if its alternate facility is in the best location, and if\n                                                                                                          not,\n                  where the best location would be.\n\n                  Devolution Plan\n\n                  Further, all four regions have a devolution strategy to operate the system manually\n                                                                                                       if\n                  both the primary and alternate facility become inoperable; however, the manual\n                  strategy in place at the four regions has not been fully developed. For example, the\n                  devolution strategy for the Sierra Nevada Region states that essential personnel\n                  should report to pre-determined official duty locations and monitor critical\n                  substations. However, its Continuity of Operations Plan does not specify these\n                  locations. Moreover, the Rocky Mountain Region intends to manually operate the\n                  system if both its primary and alternate facilities are rendered inoperable; however, it\n                  does not have detailed documented procedures for doing this.\n\n                  Federal Preparedness Circular 65\n\n                  These deficiencies generally occurred because Western concentrated primarily on\n                  meeting the North American Electric Reliability Corporation requirements;\n                  therefore, it was less familiar with the FPC 65. For instance, Western's regions did\n                  not fully develop devolution strategies because three of the regions were not aware\n                  of a 2004 update to the 1999 version of FPC 65, which added devolution planning as\n                  a requirement.\n\n                                                     2\n\x0c05/24/07   THU 12:03 FAX 865 241 3897              OIG                            *-', HQ                  [003\n\n\n\n\n                  SUGGESTED ACTIONS\n\n                  In.order to improve its ability to continue systems operations' essential functions in\n                  an emergency situation, we suggest that Western ensure that:\n\n                  1. The Upper Great Plains Region formally evaluate the alternative of using\n                     existing infrastructure for establishing a new alternate operating facility, which\n                     includes performing an all-hazard risk assessment and working with other\n                     regions to share ideas on developing a cost-effective alternate operating facility.\n\n                  2. The Sierra Nevada Region include an all-hazard risk assessment in its study of\n                     existing and possible future locations of its alternate operating facility.\n\n                  3. All of the regions prepare a formal devolution plan in accordance with FPC 65 to\n                     ensure continuity of operations.\n                  SCOPE AND METHODOLOGY\n\n                  The audit was performed between November 2006 and April 2007 at the Western\n                  Area Power Administration's four regions. The scope of the audit focused primarily\n                  on current continuity of operations strategies for Western's system operations.\n\n                  To accomplish the audit objective, we obtained and reviewed guidance relevant to\n                  continuity of operations; reviewed Western's continuity of operations plans;\n                  performed site visits at two of Western's regions; and held discussions with key\n                  officials responsible for continuity of operations planning.\n\n                  The audit was performed in accordance with generally accepted Government\n                  auditing standards for performance audits and included tests of internal controls and\n                  compliance with laws and regulations to the extent necessary to satisfy the audit\n                  objective. Accordingly, we assessed the Department's controls over continuity of\n                  operations for system operations. Because our review was limited, it would not\n                  necessarily have disclosed all internal control deficiencies that may have existed at\n                  the time of our audit. Also, we considered the establishment of performance\n                  measures in accordance with the Government Performanceand Results Act of 1993\n                  as they related to the audit objective. We found that the Department had not\n                  established performance measures. Additionally, we did not rely on computer-\n                  processed data during the audit; therefore, we did not conduct reliability assessments\n                  on the data.\n\n\n\n\n                                                   3\n\x0c05/24/07   THU 12:04 FAX 865 241 3897              OIG                          44 HQ                    004\n\n\n\n\n                   We discussed the audit results and suggested actions with Western officials for the\n                   various sites audited during the week of April 22, 2007. Because no formal\n                   recommendations are being made in this report, a formal response is not required.\n                   We appreciate the cooperation of your staff during our review.\n\n\n\n\n                                                         Fredrick G. Pieper, Director\n                                                         Energy, Science and Environmental\n                                                           Audits Division\n                                                         Office of Inspector General\n\n                  cc: Deputy Secretary\n                      Chief of Staff\n                      Team Leader, Audit Liaison Team, CF-1.2\n                      Audit Liaison, Western Area Power Administration\n\n\n\n\n                                                  4\n\x0c"